Johnson & Johnson has issued a security warning about one of its products:
Johnson & Johnson on Tuesday issued a warning about a possible cybersecurity issue with its Animas OneTouch Ping Insulin Infusion Pump. The problem was first reported by Reuters.
Computer security firm Rapid 7 discovered that it might be possible to take control of the pump via its an unencrypted radio frequency communication system that allows it to send commands and information via a wireless remote control. The company alerted Johnson & Johnson, which issued the warning. Getting too high or too low a dose of insulin could severely sicken or even kill. There have been no instances of the pumps being hacked, Johnson & Johnson said.
This discussion has been archived.
No new comments can be posted.
Johnson & Johnson Issues Security Warning About Insulin Pump
|
Log In/Create an Account
| Top
| 28 comments
| Search Discussion
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(Score: 2) by Runaway1956 on Wednesday October 05 2016, @01:41PM
WTF does an important health care device need a WIRELESS connection, to anything? Way back in the earliest of the 1900's the army figured out that wired communications could be made secure, but wireless communications could not. Little has changed since. In this case, they didn't even attempt to make it secure. Unencrypted wireless connection? What could possibly go wrong?
Hail to the Nibbler in Chief.
(Score: 2, Insightful) by Snow on Wednesday October 05 2016, @03:04PM
I think it's pretty obvious why wireless is the preferred option here. Unless you want a micro-USB port sticking out of your body (there is a docking joke in there somewhere...). Leaving it unencrypted is pretty negligent though...
(Score: 0) by Anonymous Coward on Wednesday October 05 2016, @03:12PM
Obligatory XKCD [xkcd.com]
(Score: 2) by mcgrew on Wednesday October 05 2016, @04:56PM
The pump isn't inside the body. I think you need some more coffee. It's a PUMP that injects insulin. If the whole thing were installed inside your body, how would you refill or recharge it? Of course it has some sort of jack or plug to recharge the battery, and I'll bet it's a USB port.
There is ZERO reason to have these things in any way hackable. Putting bluetooth in them was idiotic. If there's no reason to have a device on a network, KEEP IT OFF THE NETWORK.
Carbon, The only element in the known universe to ever gain sentience
(Score: 2) by Snow on Wednesday October 05 2016, @05:12PM
Ahh, good call. I didn't actually click the link or anything, but what you say makes perfect sense.
-- Snow
(Score: 2) by PocketSizeSUn on Wednesday October 05 2016, @06:30PM
There are both kinds of drug pumps. Implanted and external.
Most of the insulin ones are external (The ones I've seen look like a pager attached to a belt) with a fixed drip line (that also has it's own issues).
For the implanted pump the reservoir is usually refilled with a needle. Not sure about external pumps.
(Score: 2) by Runaway1956 on Wednesday October 05 2016, @05:39PM
Let me think about this for just a moment . . . .
They are sticking some foreign object into your body already, right? Just how difficult would it be to put a jack into your body, with which to connect to the device? I mean - there you have the body, insert part A, and part B on a trailing tail. Need it be USB? How about at least micro-USB? I'm not into medicine, really, but where does that first implant go? Somewhere in the trunk of the body, I suppose. Wonder how irritating a micro-USB would be sitting in your navel?
What I think is, not enough crazy people are thinking outside the box here. You certainly don't want everything you rely on to be connected wirelessly to the great IOT. That's just insane.
Hail to the Nibbler in Chief.
(Score: 2) by HiThere on Wednesday October 05 2016, @06:58PM
The traditional answer was a device that requires a magnetic (I think) induction loop to be placed ON the body and held in position while adjusting the device. This is certainly the approach used by my wife's pacemaker. No USB port but also no distance adjustment. Even for an external device this would have it's points, as it would avoid jostling what must be a sensitive connection. (I've had USB ports that required considerable force to use.)
But wireless?!? That's just insane. And unencrypted wireless? They must WANT the devices to be compromised.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
(Score: 2) by Username on Wednesday October 05 2016, @03:21PM
Because encryption is pointless and only adds to complexity. Look at ATSC, it’s all open anyone can disrupt it, or hijack it, but no one does. It’s not even a felony A to do so.
I wouldn’t want a wireless infusion pump either, but that’s mainly for stability reasons. If I wanted to kill someone via infusion pump, it wouldn’t really matter if it was wireless or not.
(Score: 2) by DannyB on Wednesday October 05 2016, @04:05PM
You could always get a syringe full of insulin and jab them with it.
But then, they could drink a bottle of pancake syrup (not the "lite" kind) and head to the ER.
Insulin and syringes are over the counter in most states.
Of course, I remember when my daughter was much younger, and for some odd reason, we had run out of syringes, and I went to Walgreens about midnight, in jogging sweats, to buy a box of syringes. The day staff recognized us. But not the night staff. That made for funny looks. And "who is the patent?" "What kind of insulin does she inject?" Of course, I knew the answers, and they sold me the syringes. But I could see why people would buy these for injecting drugs.
Is there a chemotherapy treatment for excessively low blood alcohol level?
(Score: 3, Insightful) by butthurt on Wednesday October 05 2016, @03:24PM
> WTF does an important health care device need a WIRELESS connection, to anything?
One use is mentioned in the article: to "order the pump to give [...] a dose of insulin." For an insulin pump, I would suppose that is a key feature.
> Way back in the earliest of the 1900's the army figured out that wired communications could be made secure, but wireless communications could not.
Wires can be cut; wires can be tapped; wires can be seen; wires can be followed; misleading signals or damaging currents can be fed into wires or induced in them.
The German military made limited use of frequency hopping for communication between fixed command points in World War I to prevent eavesdropping by British forces, who did not have the technology to follow the sequence.
-- https://en.wikipedia.org/wiki/Frequency-hopping_spread_spectrum#Multiple_inventors [wikipedia.org]
Spread-spectrum signals are highly resistant to deliberate jamming, unless the adversary has knowledge of the spreading characteristics. Military radios use cryptographic techniques to generate the channel sequence under the control of a secret Transmission Security Key (TRANSEC) that the sender and receiver share in advance.
-- https://en.wikipedia.org/wiki/Frequency-hopping_spread_spectrum#Military_use [wikipedia.org]
The subsequent paragraph on that page gives specific examples of military radio equipment. It's used not only by armies, but by navies as well.
> Little has changed since.
Right, apart from the transistor, the integrated circuit, the microprocessor, the ADC and DAC, digital electronics in general, information theory, block ciphers, error-correcting codes, radio communication is basically the same as it was in the 1930s.
(Score: 3, Informative) by DannyB on Wednesday October 05 2016, @03:59PM
> WTF does an important health care device need a WIRELESS connection
I know the answer because my daughter uses a different brand than the J&J pump from TFA.
1. If you use a sensor. This is a separate device with its own attachment to the body. It samples blood glucose every few minutes. It sends its readings to the pump. Now if the pump were set up to automatically dose insulin when the glucose monitoring sensor detects significantly rising blood glucose, it might be possible to spoof the pump into dosing insulin not needed. This is a potential vulnerability. The sensor and pump, on the brand I'm talking about (Medtronic) have a six digit code you choose on both the pump and sensor.
2. The pump can send it's log data to a USB dongle, which allows you to get that log data into your computer without the fuss of wires. The vendor's web site can upload that log data, if you have jumped through all the right hoops, and make it available to your doctor via a web site that the doctor can visit.
3. A woman may have the insulin pump under a dress, for example. Let's say a restaurant. Before eating, the user would dose themself with more insulin. Rather than have to lift up the dress, or take a visit to the restroom in order to access the pump's user interface, the user can use a wireless key fob to communicate to the pump, and get feedback from a couple beeps the pump will make.
Obviously security needs to be well thought out. Probably better thought out than it currently is.
One problem is that even the slightest changes to the design require a very long FDA approval process for a new model. So insulin pumps tend to be behind cell phones on technology. I remember when her insulin pump first got a color screen, and I thought, "it's about time".
In order to actually be FDA approved the pump AAA battery must be Eveready Energizer. I'm sure any AAA would work in a pinch. But this is what to use. And it's not worth playing any games with substitutions.
Is there a chemotherapy treatment for excessively low blood alcohol level?
(Score: 2) by Runaway1956 on Wednesday October 05 2016, @05:45PM
"slightest changes to the design require a very long FDA approval process"
On the other hand, the pharmaceuticals can get approval for new uses for old drugs and other underhanded tricks, relatively quick. Crazy, ain't it?
Hail to the Nibbler in Chief.
(Score: 2) by PocketSizeSUn on Wednesday October 05 2016, @06:41PM
Actually that's a bit different.
Once a drug is approved (in the market) a doctor can prescribe the drug for "off label uses".
Getting the drug on the market is hard, using it for something else is easy.
Drug pumps have a similar set of restrictions. A pump is approved for a specific drug, or subset of drugs. What drug is ultimately used can differ depending entirely on the Rx from the doc. My understanding is that it is quite a common situation for implanted devices to be delivering a cocktail that is technically "off label" is not particularly surprising to the manufacturer. It's ultimately up to the doc to put the right mix in and set the proper limits to provide the Rx.
(Score: 3, Touché) by FatPhil on Wednesday October 05 2016, @01:52PM
Trademarks are much cheaper. Let's do that instead.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 3, Insightful) by Arik on Wednesday October 05 2016, @02:13PM
"Getting too high or too low a dose of insulin could severely sicken or even kill."
So they made a device that they know can kill you, and rigged the controls using cleartext radio transmissions?
When are people going to jail for this?
If laughter is the best medicine, who are the best doctors?
(Score: 2) by FatPhil on Wednesday October 05 2016, @02:53PM
Anyway, I've got to jump in my old car and drive on the non-ABS motorway home.
Where I'll boil me a nice cuppa coffee using my caffeine-free kettle.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by Arik on Wednesday October 05 2016, @03:44PM
Funny, but there's a more charitable way to parse it.
"via its an unencrypted radio frequency communication system"
So I read 'unencrypted' and 'radio frequency' as separate adjectives modifying 'communication system' rather than reading 'unencrypted' as modifying 'radio frequency' - either being possible I would choose the one that makes sense.
The 'an' is completely out of place no matter how I parse though.
If laughter is the best medicine, who are the best doctors?
(Score: 2) by DannyB on Wednesday October 05 2016, @04:11PM
You know, they could just build the device with reasonable safeguards.
No wireless command can cause the pump to inject more than XX units of insulin per YY unit of time. To do that you need to use the keypad on the pump.
That would be sort of like an IoT thermostat being commanded to lower the temperature to 20 °F so the pipes freeze. Or heat the house to 110 °F in summer. Maybe the user should be able to set some sane limits on the thermostat which limit what IoT commands can actually do.
Is there a chemotherapy treatment for excessively low blood alcohol level?
(Score: 2) by MrGuy on Wednesday October 05 2016, @02:28PM
How would they know that? It might be accurate to say that there are no KNOWN instances of hacking. But it would, I imagine, be difficult-to-impossible to PROVE that none has ever been hacked. Have they gone back and looked at every single death by someone using the product, and checked for anomalities? Do the devices log sufficient information to even DETECT such anomalities?
(Score: 2) by takyon on Wednesday October 05 2016, @02:49PM
"Reported instances" I'd guess.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 2) by DannyB on Wednesday October 05 2016, @04:13PM
I bet the number of deaths from using the product is pretty near zero. And if there are any, they are probably explainable. The pump does keep logs.
Is there a chemotherapy treatment for excessively low blood alcohol level?
(Score: 2) by HiThere on Wednesday October 05 2016, @07:04PM
That's probably not a good bet. People using an insulin pump are not going to be the longest lived in their age group.
So unless the pump has just been released there's a quite good chance that some users have died even if the death had nothing to do with the pump. Proving it had nothing to do with the pump would probably be impossible. OTOH, if it was caused by the pump, it might well be equally impossible. Someone going into shock while driving on a freeway is not going to leave much evidence.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
(Score: 4, Insightful) by Fnord666 on Wednesday October 05 2016, @03:40PM
(Score: 0) by Anonymous Coward on Wednesday October 05 2016, @03:54PM
Authentication can be sniffed and spoofed. Gotta encrypt to securely authenticate.
(Score: 0) by Anonymous Coward on Wednesday October 05 2016, @04:14PM
Now go read up on the next article about those new French bank cards, Mr. Smarty-pants.
(Score: 0) by Anonymous Coward on Wednesday October 05 2016, @05:06PM
So, an authenticated device will have some algorithm that matches the insulin pump for authentication? I'm not sure where you're going with this, that system could still be sniffed and spoofed. Also, if I was using one of these I would still prefer that the commands be encrypted so that some bored hacker can't start playing around. 3 digit security shouldn't take too long to brute force, and I don't think disabling the device over bad connection attempts is acceptable in this case...
I don't know how the French cards will handle that, but locking a bank account at least does not have immediate life and death consequences.
(Score: 1) by Scruffy Beard 2 on Wednesday October 05 2016, @08:17PM
Tree words:
Public key Encryption.
It can be used to authenticate, without encrypting the actual data by encrypting a secure hash of the data.
Useful if you are prohibited by law from encrypting the pay-load.